Bugs in Mobile Credit Card Readers Could Expose Buyers

The tiny, portable credit card readers you use to pay at farmer's markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices sold by four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.

Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point of sale devices in all. What they found wasn't pretty: bugs that allowed them to manipulate commands using Bluetooth or mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point of sale device.

"The very simple question that we had was how much security can be embedded in a device that costs less than $50?" Galloway says. "With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project."

All four manufacturers are addressing the issue, and not all models were vulnerable to all of the bugs. In the case of Square and PayPal, the vulnerabilities were found in third-party hardware made by a company called Miura. The researchers are presenting their findings Thursday at the Black Hat security conference.


The researchers found that they could exploit bugs in Bluetooth and mobile app connectivity to the devices to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to use a less secure magstripe swipe, which makes it easier to steal data and clone customer cards.


Alternatively, a rogue merchant could make the mPOS device appear to decline a transaction to get a user to repeat it multiple times, or could change the total of a magstripe transaction up to the $50,000 limit. By intercepting the traffic and clandestinely modifying the value of the payment, an attacker could get a customer to approve a normal-looking transaction that is really worth much more. In these types of frauds, customers rely on their banks and credit card issuers to insure their losses, but magstripe is a deprecated protocol, and businesses that continue to use it now hold the liability.
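The two fraud patterns described above (forced magstripe fallback, and repeated "declines" followed by an inflated approval) leave a signature in the transaction stream that a vendor backend or acquirer can look for. The following is an added illustration, not code from Positive Technologies or any of the vendors; the record layout, reader IDs and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Txn:
    """One authorization attempt as seen by the backend (constructed layout)."""
    reader_id: str
    ts: int            # Unix seconds
    entry_mode: str    # "chip" or "magstripe"
    amount_cents: int  # amount the customer was asked to approve
    approved: bool


# Constructed sample: R1 is normal, R2 shows decline/retry with an inflated
# final swipe, R3 has every transaction falling back to magstripe.
SAMPLE = [
    Txn("R1", 100, "chip", 450, True),
    Txn("R1", 200, "chip", 700, True),
    Txn("R1", 260, "chip", 1200, True),
    Txn("R2", 100, "magstripe", 500, False),
    Txn("R2", 130, "magstripe", 500, False),
    Txn("R2", 170, "magstripe", 250000, True),
    Txn("R3", 100, "magstripe", 300, True),
    Txn("R3", 150, "magstripe", 320, True),
    Txn("R3", 210, "magstripe", 280, True),
]


def flag_readers(txns: List[Txn], window: int = 300, fallback_ratio: float = 0.5,
                 min_txns: int = 3, inflate_factor: int = 10) -> Dict[str, List[str]]:
    """Return reader_id -> list of reasons for readers whose stream looks tampered."""
    by_reader: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        by_reader[t.reader_id].append(t)
    flags: Dict[str, List[str]] = defaultdict(list)
    for rid, recs in by_reader.items():
        recs.sort(key=lambda t: t.ts)
        # Pattern 1: chip is being disabled, so nearly everything is a swipe.
        swipes = sum(1 for t in recs if t.entry_mode == "magstripe")
        if len(recs) >= min_txns and swipes / len(recs) >= fallback_ratio:
            flags[rid].append("high magstripe fallback rate")
        # Pattern 2: several quick declines, then an approval far above them.
        declined: List[Txn] = []
        for t in recs:
            if not t.approved:
                declined.append(t)
                continue
            recent = [d for d in declined if t.ts - d.ts <= window]
            if len(recent) >= 2 and t.amount_cents >= inflate_factor * max(d.amount_cents for d in recent):
                flags[rid].append("repeated declines followed by inflated approval")
            declined = []
    return dict(flags)
```

A reader that trips either rule is a candidate for review rather than proof of fraud; the ratios and the window are tuning knobs, not values from the report.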

The researchers also reported issues with firmware validation and downgrading that could allow an attacker to install old or tainted firmware versions, further exposing the devices.

The researchers found that in the Miura M010 Reader, which Square and PayPal formerly sold as a third-party device, they could exploit connectivity flaws to gain full remote code execution and file system access on the reader. Galloway notes that a third-party attacker might particularly want to use this control to change the mode of a PIN pad from encrypted to plaintext, known as "command mode," to observe and collect customer PINs.

The researchers evaluated accounts and devices used in the US and European regions, since they're configured differently in each place. And while all of the terminals the researchers tested contained at least some vulnerabilities, the worst of it was limited to just a few of them.

"The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader," a Square spokesperson told WIRED. "Today it is no longer possible to use the Miura Reader on the Square ecosystem."

"SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report," said a SumUp spokesperson. "All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future."

"We recognize the important role that researchers and our user community play in helping to keep PayPal secure," a spokesperson said in a statement. "PayPal’s systems were not impacted and our teams have remediated the issues."

iZettle did not return a request from WIRED for comment, but the researchers say that the company is remediating its bugs as well.

Galloway and Yunusov were happy with the proactive response from vendors. They hope, though, that their findings will raise awareness about the broader issue of making security a development priority for low cost embedded devices.

"The kind of issues we see with this market base you can see applying more broadly to IoT," Galloway says. "With something like a card reader you would have an expectation of a certain level of security as a consumer or a business owner. But many of these companies haven’t been around for that long and the products themselves aren’t very mature. Security isn’t necessarily going to be embedded into the development process."
